[security] Phishing-Resistant Authentication definition

Dick Hardt dick at sxip.com
Tue Nov 20 21:32:46 UTC 2007


Recently this definition of Phishing-Resistant Authentication was  
proposed:

>>
>> Phishing-Resistant Authentication
>> An authentication mechanism where the End User does not provide  
>> shared secrets to a party potentially under the control of the  
>> Relying Party that could enable that party to then authenticate  
>> elsewhere as if it were the End User. (Note that the potentially  
>> malicious Relying Party controls where the User-Agent is  
>> redirected to and thus may not send it to the End User's actual  
>> OpenID Provider).

Given the rise of nasty MITM malware, I hope that we all agree that  
PAPE is not intended to protect the user from malware on their own  
machine, but to protect the user from malicious websites. If so,  
would it make sense to enhance the definition to reflect this?

-- Dick
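The quoted definition hinges on one observation: the Relying Party picks where the User-Agent is redirected, so a malicious RP can send it to a look-alike endpoint instead of the End User's real OpenID Provider. The following toy model, added here as an illustration and not code from the OpenID PAPE specification or from the poster, contrasts the two cases the definition separates. In the password case the shared secret is handed to whatever endpoint the RP chose, and the rogue endpoint can then authenticate at the real OP. In the origin-bound case the User-Agent only releases an HMAC over the destination origin and a nonce, computed with a per-OP key that never leaves it (the key, the origins and the nonce are constructed assumptions of this model, not anything the PAPE text specifies), so what the rogue endpoint captures does not verify at the real OP.

```python
"""Toy model of the PAPE "phishing-resistant" property.

Constructed scenario: a Relying Party (RP) controls where the User-Agent is
redirected and sends it to a look-alike endpoint instead of the End User's
real OpenID Provider (OP).  We compare what the rogue endpoint can do with
what it captures under a shared-secret mechanism and an origin-bound one.
"""
import hashlib
import hmac
from urllib.parse import urlparse

REAL_OP_ORIGIN = "https://op.example"                     # constructed
ROGUE_OP_URL = "https://op-example.login.example/auth"   # constructed look-alike

# Constructed user credentials.  The password is a shared secret the user types.
# The binding key is held by the User-Agent and registered with the real OP
# (an assumption of this toy model); its value is never sent over the wire.
USER_PASSWORD = "correct horse battery staple"
BINDING_KEY = hashlib.sha256(b"constructed-user-agent-key").digest()


def origin_of(url: str) -> str:
    """Scheme and host of a URL, the only part the binding covers."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


def bound_tag(key: bytes, origin: str, nonce: str) -> bytes:
    """Proof that the User-Agent is talking to `origin`; the key stays local."""
    return hmac.new(key, f"{origin}\n{nonce}".encode(), hashlib.sha256).digest()


class RealOP:
    """The End User's actual OpenID Provider."""

    def __init__(self, origin: str, password: str, binding_key: bytes):
        self.origin = origin
        self._password = password
        self._binding_key = binding_key

    def verify_password(self, submitted: str) -> bool:
        # Anyone holding the shared secret can pass this check.
        return hmac.compare_digest(submitted, self._password)

    def verify_bound(self, nonce: str, tag: bytes) -> bool:
        # The OP recomputes the tag over ITS OWN origin, so a tag produced
        # for any other origin (e.g. the look-alike) will not match.
        expected = bound_tag(self._binding_key, self.origin, nonce)
        return hmac.compare_digest(tag, expected)


class UserAgent:
    """Follows whatever redirect the RP gives it, as a browser would."""

    def submit_password(self, redirect_url: str) -> dict:
        # The shared secret is handed to whoever is at the redirect target.
        return {"password": USER_PASSWORD}

    def submit_bound(self, redirect_url: str, nonce: str) -> dict:
        # Only a proof bound to the destination origin leaves the User-Agent.
        origin = origin_of(redirect_url)
        return {"nonce": nonce, "tag": bound_tag(BINDING_KEY, origin, nonce)}


def rogue_rp_can_reauthenticate(mechanism: str) -> bool:
    """Does what the rogue endpoint captured let it log in at the real OP?"""
    real_op = RealOP(REAL_OP_ORIGIN, USER_PASSWORD, BINDING_KEY)
    ua = UserAgent()
    nonce = "constructed-nonce-1"
    if mechanism == "password":
        captured = ua.submit_password(ROGUE_OP_URL)
        return real_op.verify_password(captured["password"])
    if mechanism == "origin-bound":
        captured = ua.submit_bound(ROGUE_OP_URL, nonce)
        # Replay exactly what was captured, under the same nonce.
        return real_op.verify_bound(captured["nonce"], captured["tag"])
    raise ValueError(mechanism)


def honest_flow_works(mechanism: str) -> bool:
    """Sanity check: both mechanisms succeed when the redirect is genuine."""
    real_op = RealOP(REAL_OP_ORIGIN, USER_PASSWORD, BINDING_KEY)
    ua = UserAgent()
    nonce = "constructed-nonce-2"
    if mechanism == "password":
        return real_op.verify_password(ua.submit_password(REAL_OP_ORIGIN + "/auth")["password"])
    if mechanism == "origin-bound":
        msg = ua.submit_bound(REAL_OP_ORIGIN + "/auth", nonce)
        return real_op.verify_bound(msg["nonce"], msg["tag"])
    raise ValueError(mechanism)


if __name__ == "__main__":
    for m in ("password", "origin-bound"):
        print(f"{m}: honest={honest_flow_works(m)} "
              f"rogue RP can reauthenticate={rogue_rp_can_reauthenticate(m)}")
```

The model deliberately says nothing about malware on the user's machine: a compromised User-Agent holds `BINDING_KEY` and can sign for any origin, which is exactly the boundary the message asks the definition to make explicit.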